In a staggering turn of events, the cybersecurity world has been shaken by the news of the largest distributed denial-of-service (DDoS) attack on record. Cloudflare, a prominent web security company, recently revealed that malevolent actors exploited a zero-day vulnerability in the HTTP/2 protocol to launch an unprecedented DDoS attack, reaching a mind-boggling 398 million requests per second. This onslaught surpasses the previous record of 71 million requests per second by more than fivefold.

Google, Cloudflare, and Amazon Web Services (AWS) unveiled this vulnerability and addressed its ramifications in official posts, and reveal that they have successfully mitigated the biggest DDoS layer 7 attacks recorded in August and September. These tech giants reported a disturbing trend, indicating that application-layer (layer 7) attacks of colossal proportions had become distressingly common over the past few months, with the peak activity observed in August. The primary objective of these attacks was to inundate their targets with an overwhelming number of packets, causing their systems to go offline, rendering them inaccessible to legitimate users. However, the sheer scale of this most recent assault, hitting 398 million requests per second (according to Google), has dwarfed anything seen before.

Surprisingly, the attack utilized a relatively modest botnet of approximately 20,000 compromised machines. While this might sound sizeable, it’s worth noting that Cloudflare frequently encounters botnets that comprise hundreds of thousands or even millions of machines. This stark difference in scale highlights the menace posed by this newly discovered vulnerability in the HTTP/2 protocol. In response to this unprecedented threat, Google, Cloudflare, and AWS have developed mitigation strategies. These include the implementation of advanced technologies and security measures to safeguard against future “Rapid Reset” attacks. Their combined efforts aim to provide substantial protection to online platforms and services, ensuring their continued availability in the face of such assaults.

“We were able to mitigate the attack at the edge of Google’s network, leveraging our significant investment in edge capacity to ensure our services and our customers’ services remained largely unaffected. As we understood more details about the attack methodology, we developed a set of mitigations and updated our proxies and denial-of-service defense systems to efficiently mitigate this technique. Since Google Cloud’s Application Load Balancer and Cloud Armor use the same hardware and software infrastructure that Google relies on to serve its own internet-facing services, the Cloud customers who use those services have their Internet-facing web apps and services similarly protected,” Google wrote in a blog post.

The “Rapid Reset” vulnerability, marked as CVE-2023-44487, takes advantage of a fundamental protocol used by a significant portion of internet traffic, making it a critical concern for online security. The ability to launch such a massive attack with a relatively small botnet sends a clear message: even with limited resources, malicious actors can create chaos on a global scale. Given the enormous volume of internet traffic – typically between 1 to 3 billion requests per second – this new attack method can concentrate an entire web’s worth of requests on a handful of targets.

The “Rapid Reset” vulnerability takes advantage of stream multiplexing, a core feature of the HTTP/2 protocol. This feature allows multiple HTTP requests to be sent to a server over a single TCP connection. Requests are streamed sequentially to the server via this connection, and the server processes them in the order received. This approach is designed to be more efficient than the traditional approach in HTTP/1.x, which requires establishing multiple parallel TCP connections to fetch resources from a server.